microsoft / teams-ai

SDK focused on building AI based applications and extensions for Microsoft Teams and other Bot Framework channels
MIT License

[Bug]: 3rd party Idp with ME SSO #1572

Closed ShujaathKhan closed 3 weeks ago

ShujaathKhan commented 5 months ago

Language

Javascript/Typescript, Python

Version

latest

Description

We're looking at the scenario where we can integrate Third party Idp in Microsoft teams message extension with SSO.

We got started with the sample repo placed over here: https://github.com/microsoft/teams-ai/tree/main/js/samples/05.authentication/e.teamsSSO-messageExtension

  1. About 3rd party integration implementation: https://learn.microsoft.com/en-us/microsoftteams/platform/messaging-extensions/how-to/add-authentication
  2. auth-start code we modified for 3rd party sign-in
  3. Here we're trying to create a user signed-in session

The ultimate goal we're trying to reach here is to have M365 Copilot work for the plugin and get items based on context. For example, assume gmail.com: based on the logged-in user it should be able to get mails.

Reproduction Steps

1. We revised the auth-start HTML pages to redirect to the third party, and SSO was successful.
2. We got the code back in end-auth.html.
3. We're not able to create an SSO session even though we have a successful sign-in done.

Many examples we've got all talk about Entra, but there are far fewer examples of the third-party IdP integration part.

singhk97 commented 5 months ago

Can you elaborate more on how you're not able to create the SSO session? From the end user's perspective (as well as the bot's perspective), what happens once you get the code back in end-auth.html?

ShujaathKhan commented 5 months ago

I'm looking for any elegant code where we can save the code we receive at end-auth.html in turnState so the login link doesn't come up when the user tries to do some search query.

kjboogie commented 4 months ago

Hey @ShujaathKhan ,

You can refer to my repository for third-party SSO: https://github.com/kjboogie/M365-Copilot-Plugin-Message-extension-SSO-Third-party-authentication

You cannot use ApplicationBuilder() to initiate the authentication for a third party. This is only valid with Microsoft's internal SSO auth. Also, you need to initiate authentication from the server side, specifically from handleTeamsMessagingExtensionQuery(context: TurnContext, query: MessagingExtensionQuery), so that when your client closes after token generation via auth-end.html, we send back the token and it is accessible inside this function via context.activity.value.state.

When your handleTeamsMessagingExtensionQuery() initiates something that goes outside the Teams client, the Teams client waits and captures the result in the same function, inside 'context'.

In auth-end.html, microsoftTeams.authentication.notifySuccess(hashParams['code']); sends a response back to the Teams client. We capture this code and generate tokens that are later set in the 'memory storage' of botbuilder.

From searchApps.ts, we send a ComposeExtension of type 'auth' to the front end to initiate sign-in. Create a function and call it from handleTeamsMessagingExtensionQuery(). You can call it like: return this.staticHtmlPage();

From auth.html/auth-start.html, we call out to the third-party auth URL with a redirect URL to auth-end.html.

From auth-end.html, we send the generated code back to our Teams client, i.e. handleTeamsMessagingExtensionQuery(). You can access the code via context.activity.value.state.

I am saving the token in UserState and saving the UserState to MemoryStorage. Both of these are part of "botbuilder". I am already initializing these in index.ts and passing them to searchApps while initializing them from index.ts.

Hope this solution will fix your problem.
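The server-side flow described in this comment, as an added example that is not code from the teams-ai repo or from kjboogie's repo: the handler returns a composeExtension 'auth' response until a code arrives in activity.value.state, exchanges it on the server, and keeps the resulting token per user so later queries skip the sign-in prompt. The botbuilder shapes are replaced by minimal local stand-ins, and exchangeCode and authStartUrl are hypothetical; a real bot would use TurnContext/UserState and call the IdP's token endpoint.

```typescript
// Minimal stand-ins (assumption) for the botbuilder shapes this flow touches.
interface MessagingExtensionQuery {
  commandId: string;
  state?: string; // auth code delivered by auth-end.html via notifySuccess(code)
}
interface TurnContextLike {
  activity: { channelId: string; from: { id: string }; value: MessagingExtensionQuery };
}

// Stand-in for UserState backed by MemoryStorage: one token per (channel, user).
class TokenStore {
  private tokens = new Map<string, string>();
  private key(ctx: TurnContextLike): string {
    return `${ctx.activity.channelId}/${ctx.activity.from.id}`;
  }
  get(ctx: TurnContextLike): string | undefined { return this.tokens.get(this.key(ctx)); }
  set(ctx: TurnContextLike, token: string): void { this.tokens.set(this.key(ctx), token); }
}

// composeExtension response of type 'auth': tells the Teams client to open auth-start.html.
function buildAuthResponse(authStartUrl: string) {
  return {
    composeExtension: {
      type: 'auth',
      suggestedActions: { actions: [{ type: 'openUrl', value: authStartUrl, title: 'Sign in' }] },
    },
  };
}

// Hypothetical code-for-token exchange. The real one is a server-side call to the IdP's token
// endpoint, so only the short-lived code (never the token) passes through the Teams client.
type CodeExchanger = (code: string) => string | undefined;

function handleTeamsMessagingExtensionQuery(
  ctx: TurnContextLike, store: TokenStore, exchangeCode: CodeExchanger, authStartUrl: string
) {
  let token = store.get(ctx);
  const code = ctx.activity.value.state;
  // First query after sign-in: activity.value.state carries the code sent by notifySuccess().
  if (!token && code) {
    token = exchangeCode(code);
    if (token) store.set(ctx, token); // persisted session: later queries skip the prompt
  }
  // No session yet (or the IdP rejected the code): ask the client to start sign-in.
  if (!token) return buildAuthResponse(authStartUrl);
  // Signed in: answer the query with real results built using the stored token.
  const card = { title: `Results for ${ctx.activity.value.commandId}`, text: 'signed-in user' };
  return { composeExtension: { type: 'result', attachmentLayout: 'list',
    attachments: [{ contentType: 'application/vnd.microsoft.card.hero', content: card }] } };
}
```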

singhk97 commented 1 month ago

Thanks @kjboogie for the solution. @ShujaathKhan can you share if this fixes your problem?

singhk97 commented 3 weeks ago

I'm closing this issue for now. @ShujaathKhan please re-open if your problem still persists.